Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with a Browser Hijack


  • This topic is locked This topic is locked
22 replies to this topic

#1 osusteven

osusteven

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 26 November 2009 - 09:46 PM

My sister managed to get a virus on her laptop. She clicked on one of those fake anti-virus ads online. I got rid of most of it using the usual suspects, but I'm left with a browser hijack problem. If I do a google search, when I click on the results some of them will redirect through 3-4 websites before landing on a random site. For example, I searched for "cell phone" and I clicked on the first result, which was www.verizonwireless.com. I got redirected through these websites.

http://isur.com/search.php

http://206.161.121.115/go.php?c=SSJQDpW%2FSDqS5agONJqC8UVzl%2FTQL81Oo09LAjnCIYoNcRXjnG3WDxGIP46L6%2BplxI9C38Vo%2F4%2FuXBcvBXsf%2FIRAVgeIMgnoV5c5lXf0qTFH5qDo6DIEKGrikUbR3%2ByJJ1fzJXm99C2EYeKgUJMEL%2Fi48Y4%2BJCzsxzj68TZSyvOgu94FLpqo40rdvNs%2BVadWYY8Of42YQHAThrnvqClLV20z4BcZHDoATIl485Z97bv%2FbYyjvNNFD7Dhkzb9yGXx9MVClOR98AOnTRhqZBrP2cP1FX5HqG7K0Y3LCGBdOmycHxsFZy0lOxeicxU4SsHn%2BLFDRN55k3CvWovOIndHBoX6caa2JuhabfBlDm8IiQYTRcMhz5y3GDkjddm%2FeqBDsC1zAYcfZDzFKgxY6Un0zHC0v7%2BP8B68lDSZuxLB4M3xONQjfjEnC1%2BNXY1m0TZlKMYTNiyQcnjknYkYK4fMqNVQ08pir1o6FIJmvqrUVcOS6wieDZOJLbYXcC34wJNW

http://atl.mv.bidsystem.com/bin/findwhat.dll?clickthrough&y=52593&x=;cZfx4pu7q:nrqSG82xLm:;Sy224izxi7Z;tV:;VI73mmZQw0ZDqRFeIKNx:g;1xLIFieEnDu6VMp06aLzDnCapscaVY:ubuSuv5z42BxF4e00vJ71Z:44u1S:kV7FSfeNQdUUZKfN;eiY46MS5Jz0xqv8ZLyUe9Re0WJuys5SkC18VfiS2FkYB4ca:mfebaGSkEcG$GL

http://kc.mv.bidsystem.com/bin/findwhat.dll?clickthrough&y=52593&x=SBF1lpSjLam9jy7XKIksdodx0XuTIMkVLsdriLdw3HRAdssCok8DF2vzJYkhwSCJq:qV5BUNpIAHzLDOqM89rNSIY3Ac9KXj:p:yspuBl2bGoo:LLUFhapV6:LLwL2715Ys8MMFl;YdGISb;C:ILsLkDcyFs0MvdFkWktK2ID:LbByA1IAuZm8oTY3mA;kXO0ALm2PSVd2a$H&c=827AA7C2%2DBE85%2D43ED%2DAE2F%2D1384B530FE22

http://www.lifestylelynx.com/search-results.aspx?keywords=cell+phones&creativeid=283EF7B7%2D7D1C%2D4A38%2D92B0%2DBC2045015BEA&referrer=Miva-D&camp=Miva-D-Goose-LifeStyleLynx&group=cell+phones&keyword=cell+phones

http://www.lifestylelynx.com/search-results.aspx?keywords=cell+phones


Different websites will show up each time. I've tried to figure out what I but google hasn't been any help.

Here is my DDS log.




DDS (Ver_09-11-24.02) - NTFSx86
Run by Melissa at 20:51:51.46 on Thu 11/26/2009
Internet Explorer: 7.0.6000.16916
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1982.917 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! antivirus 4.8.1367 [VPS 091126-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: avast! antivirus 4.8.1367 [VPS 091126-1] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Picaboo\Picaboo\PicabooMain.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Logitech\SetPoint\LU\LULnchr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Users\Melissa\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: HP Print Clips: {ffffffff-ff12-44c5-91ec-068e3aa1b2d7} - c:\program files\hp\smart web printing\hpswp_framework.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [WAWifiMessage] c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
StartupFolder: c:\users\melissa\appdata\roaming\micros~1\windows\startm~1\programs\startup\picaboo.lnk - c:\program files\picaboo\picaboo\PicabooMain.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-system: DisableTaskMgr =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/36.15/uploader2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\melissa\appdata\roaming\mozilla\firefox\profiles\5ssfvti1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13122.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\melissa\appdata\roaming\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\users\melissa\appdata\roaming\mozilla\firefox\profiles\5ssfvti1.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-25 114768]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-6 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-25 360584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-25 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-11-25 53328]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-10-25 285392]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-8-3 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-2-3 47640]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-10-25 1153368]

=============== Created Last 30 ================

2009-11-26 06:35:38 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-26 06:30:48 0 d-----w- C:\7822134c7cd054441d
2009-11-26 00:01:04 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-11-25 23:58:09 1406464 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 23:58:09 1260032 ----a-w- c:\windows\system32\msxml3.dll
2009-11-25 23:58:08 2048 ----a-w- c:\windows\system32\msxml6r.dll
2009-11-25 23:58:08 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-11-25 23:58:02 713728 ----a-w- c:\windows\system32\timedate.cpl
2009-11-25 23:57:59 2031104 ----a-w- c:\windows\system32\win32k.sys
2009-11-25 23:57:34 321536 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-05 04:57:32 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-01 15:25:15 0 d-----w- c:\users\melissa\appdata\roaming\Malwarebytes
2009-11-01 15:25:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 15:25:08 0 d-----w- c:\programdata\Malwarebytes
2009-11-01 15:25:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-01 15:25:07 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 15:01:10 0 d-----w- c:\program files\CCleaner
2009-11-01 14:51:26 0 d-----w- c:\program files\Trend Micro
2009-10-29 10:56:05 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-29 10:52:18 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-29 10:50:05 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-29 10:50:05 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-28 22:55:05 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 22:54:57 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-10-28 22:54:57 4096 ----a-w- c:\windows\system32\msdxm.ocx
2009-10-28 22:54:57 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-10-28 22:54:54 8147968 ----a-w- c:\windows\system32\wmploc.DLL

==================== Find3M ====================

2009-11-27 01:04:31 42173 ----a-w- c:\programdata\nvModes.dat
2009-11-09 23:34:21 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-25 14:42:27 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-25 14:42:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-01 21:06:18 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-10-01 21:06:18 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-10-01 21:06:17 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-10-01 14:29:14 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-20 18:43:57 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-09-20 18:43:57 86016 ----a-w- c:\windows\inf\infstor.dat
2009-09-20 18:43:57 51200 ----a-w- c:\windows\inf\infpub.dat
2009-09-10 17:38:29 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 20:51:42 25248 ----a-w- c:\windows\system32\lmimirr.dll
2009-09-08 20:51:42 11552 ----a-w- c:\windows\system32\lmimirr2.dll
2009-09-04 12:38:11 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 15:21:17 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 15:17:39 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-08-31 15:16:28 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-08-29 03:41:42 1686528 ----a-w- c:\windows\system32\gameux.dll
2009-08-29 03:40:31 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-05-16 07:08:45 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-12-12 08:21:16 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-02-16 13:49:06 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-02-16 13:49:06 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-02-16 13:49:06 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 20:53:05.48 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:04:17 AM

Posted 01 December 2009 - 11:55 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 osusteven

osusteven
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 03 December 2009 - 12:01 AM

DDS (Ver_09-11-24.02) - NTFSx86
Run by Melissa at 23:54:27.37 on Wed 12/02/2009
Internet Explorer: 7.0.6000.16916
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1982.767 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! antivirus 4.8.1367 [VPS 091203-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: avast! antivirus 4.8.1367 [VPS 091203-0] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Picaboo\Picaboo\PicabooMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Logitech\SetPoint\LU\LULnchr.exe
C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Melissa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: HP Print Clips: {ffffffff-ff12-44c5-91ec-068e3aa1b2d7} - c:\program files\hp\smart web printing\hpswp_framework.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [WAWifiMessage] c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
StartupFolder: c:\users\melissa\appdata\roaming\micros~1\windows\startm~1\programs\startup\picaboo.lnk - c:\program files\picaboo\picaboo\PicabooMain.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-system: DisableTaskMgr =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/36.15/uploader2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\melissa\appdata\roaming\mozilla\firefox\profiles\5ssfvti1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13122.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\melissa\appdata\roaming\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\users\melissa\appdata\roaming\mozilla\firefox\profiles\5ssfvti1.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-25 114768]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-6 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-25 360584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-25 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-11-25 53328]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-10-25 285392]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-8-3 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-2-3 47640]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-10-25 1153368]

=============== Created Last 30 ================

2009-11-26 06:35:38 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-26 06:30:48 0 d-----w- C:\7822134c7cd054441d
2009-11-26 00:01:04 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-11-25 23:58:09 1406464 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 23:58:09 1260032 ----a-w- c:\windows\system32\msxml3.dll
2009-11-25 23:58:08 2048 ----a-w- c:\windows\system32\msxml6r.dll
2009-11-25 23:58:08 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-11-25 23:58:02 713728 ----a-w- c:\windows\system32\timedate.cpl
2009-11-25 23:57:59 2031104 ----a-w- c:\windows\system32\win32k.sys
2009-11-25 23:57:34 321536 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-05 04:57:32 1383424 ----a-w- c:\windows\system32\mshtml.tlb

==================== Find3M ====================

2009-11-30 22:25:13 42173 ----a-w- c:\programdata\nvModes.dat
2009-11-09 23:34:21 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-25 14:42:27 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-25 14:42:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-01 21:06:18 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-10-01 21:06:18 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-10-01 21:06:17 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-10-01 14:29:14 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-20 18:43:57 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-09-20 18:43:57 86016 ----a-w- c:\windows\inf\infstor.dat
2009-09-20 18:43:57 51200 ----a-w- c:\windows\inf\infpub.dat
2009-09-10 17:40:11 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-09-10 17:39:44 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-09-10 17:38:29 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 15:29:54 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-10 15:29:34 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-09-08 20:51:42 25248 ----a-w- c:\windows\system32\lmimirr.dll
2009-09-08 20:51:42 11552 ----a-w- c:\windows\system32\lmimirr2.dll
2009-09-04 12:38:11 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-05-16 07:08:45 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-12-12 08:21:16 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-02-16 13:49:06 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-02-16 13:49:06 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-02-16 13:49:06 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 23:57:35.05 ===============

Attached Files



#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:17 AM

Posted 03 December 2009 - 08:32 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :(
Posted Image
m0le is a proud member of UNITE

#5 osusteven

osusteven
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 03 December 2009 - 09:25 PM

I'm here! Thanks.

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:17 AM

Posted 04 December 2009 - 08:41 PM

Firstly, there are two antiviruses on your system.

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or Avast.

Let's see if we have rootkit activity before we start running some removal kit

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Thanks :(

Edited by m0le, 04 December 2009 - 08:42 PM.

Posted Image
m0le is a proud member of UNITE

#7 osusteven

osusteven
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 05 December 2009 - 12:37 PM

I uninstalled Avast and restarted. I then tried running Root Repeal, but I had several problems. First, I got this error when starting Root Repeal.

FOPS - DeviceIoControl Error! Error Code = 0xc0000024


I attached a screenshot of that error.

I then tried Report and then Scan, but then I had several more errors, which led to the program crashing. It wasn't able to complete a report for me. Here are the other errors.

Could not initialize driver! Please contact the author!

Error dumping SSDT (0xc0000024)!

Attempt to read from address: 0x00000004

Attached Files



#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:17 AM

Posted 05 December 2009 - 04:10 PM

Please start RootRepeal, and, before doing anything else, try changing the "Disk Access Level" in the Settings->Options dialog. Try moving it to the "Special" or "High" level. Also, click on the Files tab, and uncheck "Use lowest level for MBR check". Please let me know if this fixes the problem.
Posted Image
m0le is a proud member of UNITE

#9 osusteven

osusteven
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 06 December 2009 - 03:01 AM

I tried those settings but it didn't help.

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:17 AM

Posted 06 December 2009 - 05:47 AM

Looks like something is interfering with RootRepeal. Let's try another rootkit scanner

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


Please also run this program which searches for a specific threat

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Thanks :(
Posted Image
m0le is a proud member of UNITE

#11 osusteven

osusteven
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 06 December 2009 - 12:09 PM

Gmer Log

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-06 12:05:45
Windows 6.0.6000
Running: 5jsjmo40.exe; Driver: C:\Users\Melissa\AppData\Local\Temp\uxrdapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\Windows\system32\drivers\atapi.sys entry point in ".rsrc" section [0x8040B02C]
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8B4BE340, 0x3FA057, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\SearchProtocolHost.exe[452] @ C:\Windows\system32\ole32.dll [USER32.dll!DialogBoxParamW] [6DF5D6EF] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Windows\system32\SearchProtocolHost.exe[452] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DialogBoxParamW] [6DF5D6EF] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Windows\system32\SearchProtocolHost.exe[452] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DialogBoxParamW] [6DF5D6EF] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Windows\system32\SearchProtocolHost.exe[452] @ C:\Windows\system32\WININET.dll [USER32.dll!DialogBoxParamW] [6DF5D6EF] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\00000609 -> \Driver\atapi \Device\Harddisk0\DR0 847AA50C

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


win32kdiag

Running from: C:\Users\Melissa\Desktop\win32kdiag.exe

Log file at : C:\Users\Melissa\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-12-06 10:46:43 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-12-06 10:44:15 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-12-06 10:44:42 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-12-06 10:44:42 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()





Finished!



#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:17 AM

Posted 06 December 2009 - 01:02 PM

We have a modified system file which means an infected system file.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

That should find and replace it :(
Posted Image
m0le is a proud member of UNITE

#13 osusteven

osusteven
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 06 December 2009 - 02:57 PM

ComboFix Log

ComboFix 09-12-06.06 - Melissa 12/06/2009 14:24.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1982.1105 [GMT -5:00]
Running from: c:\users\Melissa\Desktop\ComFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-4289245856-2854807069-399657881-500
c:\$recycle.bin\S-1-5-21-747642811-3982433225-4087218088-500
c:\windows\system32\KBL.LOG
c:\windows\system32\twain_32.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-06 to 2009-12-06 )))))))))))))))))))))))))))))))
.

2009-12-06 19:41 . 2009-12-06 19:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-06 19:41 . 2009-12-06 19:41 -------- d-----w- c:\users\Matt\AppData\Local\temp
2009-12-06 19:41 . 2009-12-06 19:41 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-11-26 06:35 . 2009-10-29 07:59 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-26 06:30 . 2009-11-26 06:34 -------- d-----w- C:\7822134c7cd054441d
2009-11-26 00:00 . 2009-11-26 00:00 -------- d-----w- c:\program files\Alwil Software
2009-11-25 23:58 . 2009-08-10 13:05 1406464 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 23:58 . 2009-08-10 13:05 1260032 ----a-w- c:\windows\system32\msxml3.dll
2009-11-25 23:58 . 2009-08-10 13:05 2048 ----a-w- c:\windows\system32\msxml6r.dll
2009-11-25 23:58 . 2009-08-10 13:05 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-11-25 23:57 . 2009-08-14 14:01 2031104 ----a-w- c:\windows\system32\win32k.sys
2009-11-25 23:57 . 2009-08-10 13:08 321536 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-25 23:39 . 2009-11-09 23:34 4026136 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2009-11-25 23:39 . 2009-11-09 23:34 2016536 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2009-11-25 23:39 . 2009-11-09 23:34 1257240 ----a-w- c:\programdata\avg9\update\backup\avgfrw.exe
2009-11-25 23:39 . 2009-11-09 23:33 3963672 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2009-11-25 23:36 . 2009-11-09 23:33 1657112 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-06 19:00 . 2009-02-17 22:38 42173 ----a-w- c:\programdata\nvModes.dat
2009-12-06 15:16 . 2008-03-22 21:39 7944 ----a-w- c:\users\Melissa\AppData\Local\d3d9caps.dat
2009-12-06 07:56 . 2008-02-04 01:33 53248 d-----w- c:\program files\LogMeIn
2009-11-26 14:48 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-26 06:37 . 2007-12-06 04:46 8192 d-----w- c:\programdata\Microsoft Help
2009-11-09 23:34 . 2009-10-25 14:41 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-01 15:25 . 2009-11-01 15:25 -------- d-----w- c:\users\Melissa\AppData\Roaming\Malwarebytes
2009-11-01 15:25 . 2009-11-01 15:25 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 15:25 . 2009-11-01 15:25 -------- d-----w- c:\programdata\Malwarebytes
2009-11-01 15:01 . 2009-11-01 15:01 -------- d-----w- c:\program files\CCleaner
2009-11-01 14:51 . 2009-11-01 14:51 -------- d-----w- c:\program files\Trend Micro
2009-10-31 23:28 . 2007-12-11 23:04 -------- d-----w- c:\programdata\NVIDIA
2009-10-25 23:56 . 2009-10-25 07:59 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-10-25 14:43 . 2008-08-07 03:10 4096 d-----w- c:\programdata\avg8
2009-10-25 14:42 . 2009-02-07 14:59 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-25 14:42 . 2008-08-07 03:11 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-25 14:42 . 2008-08-07 03:11 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-25 14:41 . 2009-10-25 14:41 4096 d-----w- c:\programdata\avg9
2009-10-25 14:41 . 2008-08-07 03:10 -------- d-----w- c:\program files\AVG
2009-10-25 08:28 . 2009-10-25 08:28 -------- dc----w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-25 08:00 . 2009-10-25 07:59 8192 d-----w- c:\program files\Spybot - Search & Destroy
2009-10-08 03:22 . 2008-01-21 21:31 123960 ----a-w- c:\users\Matt\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-06 11:06 . 2008-01-18 13:23 123960 ----a-w- c:\users\Melissa\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-04 18:44 . 2009-10-04 18:44 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-10-01 21:06 . 2008-02-04 01:34 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-10-01 21:06 . 2008-02-04 01:34 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-10-01 21:06 . 2008-02-04 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-10-01 14:29 . 2009-10-02 21:33 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-26 11:41 . 2009-09-26 11:41 126970 ----a-w- c:\users\Melissa\AppData\Roaming\Move Networks\uninstall.exe
2009-09-26 11:41 . 2009-08-03 21:48 4187512 ----a-w- c:\users\Melissa\AppData\Roaming\Move Networks\plugins\npqmp071505000010.dll
2009-09-14 09:50 . 2009-10-16 19:06 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 19:54 . 2009-11-01 15:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-11-01 15:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 17:40 . 2009-10-28 22:54 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-09-10 17:39 . 2009-10-28 22:54 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-09-10 17:38 . 2009-10-16 19:47 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 15:29 . 2009-10-28 22:54 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-10 15:29 . 2009-10-28 22:55 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-09-08 20:51 . 2007-11-15 23:46 11552 ----a-w- c:\windows\system32\lmimirr2.dll
2009-09-08 20:51 . 2007-11-15 23:46 25248 ----a-w- c:\windows\system32\lmimirr.dll
2008-02-28 18:30 . 2008-02-04 01:39 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2008-02-28 18:33 . 2008-02-04 01:39 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
.

------- Sigcheck -------

[-] 2008-02-14 01:04 . D51F41E0141333258FEE9583CD455ABC . 21560 . . [------] . . c:\windows\System32\drivers\atapi.sys
[7] 2008-02-14 . B35CFCEF838382AB6490B321C87EDF17 . 21560 . . [6.0.6000.16632] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[7] 2008-01-19 . 2D9C903DC76A66813D350A562DE40ED9 . 21560 . . [6.0.6001.18000] . . c:\windows\SoftwareDistribution\Download\df81987ce1972154ab659b2f560f1610\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[7] 2006-11-02 . 4F4FCB8B6EA06784FB6D475B7EC7300F . 19048 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun" [X]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-12-06 1006264]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-02-06 622592]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-25 2020120]

c:\users\Melissa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Picaboo.lnk - c:\program files\Picaboo\Picaboo\PicabooMain.exe [2008-2-28 577536]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-17 805392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [8/6/2008 10:11 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [10/25/2009 9:41 AM 360584]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 3:09 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [2/3/2008 8:34 PM 47640]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [10/25/2009 2:59 AM 1153368]
S4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/25/2009 9:41 AM 285392]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}
FF - ProfilePath - c:\users\Melissa\AppData\Roaming\Mozilla\Firefox\Profiles\5ssfvti1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJinit13122.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\users\Melissa\AppData\Roaming\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\users\Melissa\AppData\Roaming\Mozilla\Firefox\Profiles\5ssfvti1.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
AddRemove-Activation Assistant for the 2007 Microsoft Office suites - c:\programdata\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}\Microsoft Office Activation Assistant.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-Move Networks Player - IE - c:\users\Melissa\AppData\Roaming\Move Networks\ie_bin\Uninst.exe
AddRemove-NVIDIA Drivers - c:\windows\system32\NVUNINST.EXE UninstallGUI
AddRemove-CS - c:\program files\CS\cs.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-06 14:42
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x847AD50C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82406d1f
\Driver\ACPI -> acpi.sys @ 0x802329d6
\Driver\atapi -> ataport.SYS @ 0x807e69c6
IoDeviceObjectType -> SecurityProcedure -> ntkrnlpa.exe @ 0x81d95467
\Device\Harddisk0\DR0 -> SecurityProcedure -> ntkrnlpa.exe @ 0x81d95467
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-12-06 14:47
ComboFix-quarantined-files.txt 2009-12-06 19:47

Pre-Run: 95,392,190,464 bytes free
Post-Run: 95,407,022,080 bytes free

- - End Of File - - 822080C8FF80E4AA2B1DF2C31A809E6F



#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:17 AM

Posted 06 December 2009 - 04:56 PM

Combofix has not automatically replaced it so we will run a script to do this

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Fcopy::
c:\windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys | C:\Windows\system32\drivers\atapi.sys


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Let me know how the PC is running too :(
Posted Image
m0le is a proud member of UNITE

#15 osusteven

osusteven
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 06 December 2009 - 11:38 PM

I tried that a few times but my computer kept restarting during the process. I think it got to around step 38 or so, and it would just restart. There was no log file to be found.

The browser hijack is still active.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users